> ## Documentation Index
> Fetch the complete documentation index at: https://docs.aegister.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How It Works

> Learn how the Cloud Defender system integrates Cloud WAF and OneFirewall Threat Prevention to analyze and protect web traffic.

Aegister Cloud Defender secures web applications by analyzing inbound traffic in real time. The process has several stages:

<img src="https://mintcdn.com/aegisterspa-1426e47d/aOgMPFGVmmaPqUWw/images/cloud-defender-how.png?fit=max&auto=format&n=aOgMPFGVmmaPqUWw&q=85&s=ef14d59bdd615c42cd3c7de6bf3dbee5" alt="How It Works" width="2356" height="572" data-path="images/cloud-defender-how.png" />

## Connection and Integration

* The domain **secure.aegister.com** connects to Cloud Defender through the **Cloud\_External\_IP\_Address**.
* The system combines **Cloud WAF** and **OneFirewall Threat Prevention** for layered protection.

## Request Handling

* When a client sends a request, for example to **client1.domain1.com**:
  * **client1.domain1.com** is set up as a **CNAME for secure.aegister.com**.
  * The request carries the originating IP address and the **X-Forwarded-For** header, which trace the traffic's path.

## Traffic Analysis

* Client traffic flows through Cloud Defender (the **"blue tunnel"** in the diagram), where two checks run:
  * **Threat Intelligence Analysis:** continuously updated WAF rules score the risk of each request.
  * **Traffic Evaluation:** further queries to client domains or hostnames verify the traffic's origin and authenticity.

## Decision and Action

* The system acts on the analysis:
  * If the traffic is safe, it **grants** access to the endpoint behind **client1.domain1.com**.
  * If it detects a high risk level or a malicious IP, it **blocks** the request and denies access.

This workflow lets only legitimate traffic reach your web applications, protecting clients from cyber threats.